Econ 101: Absolute and Healthcare

If you’re keeping score, 2018 healthcare data breaches have passed 6.1 million so far. The Office for Civil Rights updated its “wall of shame” last month with a new member—UnityPoint Health—when 1.4 million records were reported compromised on July 30. The investigation for PHI violations is ongoing.

Yes, cybercriminals want to get their mitts on protected health information (PHI). We all know this. But PHI’s guardians—providers, payers, clearinghouses, and their business associates—are doing battle on an attack surface with unfamiliar enemies using exotic weapons.

Cybercriminals have not fabricated new tactics, techniques, and procedures (TTPs); hopping through a vulnerable endpoint on the way to a network data repository is nothing new. The trouble is that the flank continues to be exposed and fragile. Not by malice or conscious neglect, but because when you’re in the throes of transforming care delivery, connecting patients, providers, and payers, and adroitly adopting new technologies, errors happen.

As I’ve written about before, workforce mobility muddies the waters, and IT teams have a difficult time just seeing where PHI is, let alone the potential risk to its myriad resting places. We know what happens next: OCR agents darken your door, followed by legal teams, courts, appeals, fines, and public disgrace. To better protect PHI, IT leaders are taking various steps. When surveying the menu of options, it’s vital to assess the probability of success and to resist breaking the bank on boondoggles that may seem promising but return little on the investment. It would be prudent to have the mindset of Gene Kranz, retired NASA Flight Director: “Failure is not an option.”

Today, data has been shattered, with tiny shards taking up residency on endpoints that span the globe, making endpoint security more relevant than ever.

How valuable is the effort? Forrester recently conducted a Total Economic Impact (TEI) study to show Absolute’s economic impact in driving security and financial success. To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed Absolute customers. Their insights were compiled and calculated in the Healthcare Edition of the 2018 Forrester Total Economic Impact™ Study.

Investment Drivers and Results

Healthcare organizations identified the following investment drivers:

The healthcare provider needed to become more proactive, rather than reactive, to security-related incidents.

Compliance with regulations like HIPAA and PCI-DSS was critical to ongoing business activities.

IT leaders needed to deter malicious and non-malicious theft.

IT teams required the ability to reach off-network devices with urgent patches and updates.

When implementing Absolute, success followed:

Improved coverage and compliance. With Absolute, when machines go off the corporate network, they remain in sight. SecOps is also empowered with better information to handle situations — it can see and control endpoint devices to isolate, freeze or wipe them when necessary. Staying compliant with regulatory measures became easier with automated telemetry-based rule sets.

Reduced underutilized resources and IT spend. Healthcare organizations gained insight into utilization rates for hardware and software assets, allowing them to decrease unnecessary IT spend. In addition to process improvements, malicious and accidental thefts collapsed.

Increased visibility into endpoints. Help desk efficiency increased as staff accessed timely information about laptops and other devices. Additionally, unauthorized hardware and apps creating risk of data breaches and fines were detected and purged.

According to the report, “before using Absolute, healthcare providers often had issues when devices left the network. Prior solutions were unable to provide endpoint visibility and control, which resulted in compliance failures. In some cases, these devices disappeared altogether, making endpoint security a difficult task. Evaluating security posture and proving compliance was a lengthy and difficult process, which led to missed business opportunities and corporate data exposure that prompted regulatory ramifications. By adopting Absolute, the interviewed organizations gained a centralized platform that more effectively assessed and secured a wide range of endpoints.”

With real-world data from healthcare organizations in hand, Forrester concluded that Absolute has a three-year financial impact of $3.5 million in present value (PV). With PV costs of $1.4 million, the resulting net present value (NPV) is $2.1 million, a return on investment (ROI) of 146%.

One Absolute customer, an IT security leader, told Forrester, “I think it [Absolute] is data protection assurance and satisfies compliance standards. I can sleep at night…”

About The Author

Josh is Absolute’s Director of Security Strategy and works with Absolute customers to leverage technology for stronger cybersecurity, continuous compliance, and reduced risk on the attack surface. He has spent years in cybersecurity with a special focus on network security, threat hunting, identity management, and endpoint security. His research has been featured in leading security publications including SC Magazine, Infosec, and Dark Reading, and he is often cited by business and tech journalists for his analysis of cryptocurrencies, security operations, and attacker psychology.